REMARKS 

The rejections presented in the Office Action dated September 9, 2004 have been 
considered. Claim 17 is amended to correct a typographical error. Claims 1-20 remain 
pending in the application. Reconsideration and allowance of the application is respectfully 
requested. 

The Office Action does not establish that claims 1-2, 4-5, 7-10, 12-13 and 15-18 are 
anticipated under 35 USC § 102(e) by US patent number 6,516,315 to Gupta (hereinafter 
"Gupta"). The rejection is respectfully traversed because the Office Action fails to show that 
all the limitations of the claims are taught by Gupta. 

There is no apparent correspondence between elements of Gupta and limitations of the 
claims such that all the limitations of the claims are taught. It should be understood that the 
following explanation is presented without the benefit of the Office Action having presented 
any specific correspondences. Thus, if the Examiner reads Gupta's teachings differently or 
has additional specific insights, further explanation is respectfully requested. 

With respect to claim 1 , for example, the Office Action has not provided prior-art 
correspondences with respect to the entire claimed invention including for example, services 
having associated security levels, the determining of access characteristics of a session, and 
the granting of access to a service conditioned on the access characteristics of the session 
satisfying the security level requirement of the service. Furthermore, the Office Action and 
the asserted prior art have been reviewed and no portion of the prior art is apparent upon 
which the Examiner might be relying upon to support the rejection in this regard. 

Gupta discusses objects, users, roles, security classifications, and function 
classifications. Objects may be marked with a security classification (col. 4, 1. 45). Users 
perform functions on objects (col. 4, 1. 53). Users gain access to objects by having 
relationships to objects, (col. 4, 1. 55), and the relationship between a user and an object 
defines a role, and each role is defined with access rights (col. 4, 1. 62). Each access right can 
define what functions may be performed on objects of a given security classification (col. 4, L 
63). The security classification indicates the type of objects that may be accessed (col. 8, 1. 
40). Gupta's FIG. 5 shows the relationship between roles and access rights, and the security 
classifications and functions classifications that make up access rights. 

In Gupta's process, the system obtains an access request from a user for performing a 
function on an object (col. 9, 1. 61). The system finds a relationship that may exist between 
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the user and the object (col. 10, 1. 1). The system determines the security classification of the 
relationship from the access rights for the relationship (col. 10, 1. 12). The security 
classification of the requested object is also determined (col. 10, 1. 20). If the security 
classification of the relationship is greater than the security classification of the object, then 
the user is granted the requested access (col. 10, 1. 32). 

It is respectfully submitted that with this understanding of Gupta, Gupta's elements 
are insufficient to teach all the claim limitations. Specifically, the claims include limitations 
of and related to, two associations: associating combinations of access characteristics with a 
security level and associating each service with one of the security levels. Gupta teaches 
associating function classifications with security classifications but does not teach associating 
services with access characteristics. That is, Gupta's roles do not teach and are not suggestive 
of services. 

Furthermore, no apparent teaching of Gupta teaches or suggests the granting of access 
to a service conditioned on the access characteristics of the session satisfying the security 
level requirement of the service. In granting the access, both the access characteristics of the 
session and the combinations of access characteristics and associated security levels are used. 
Gupta does not appear to teach this, and the Office Action references large sections of Gupta. 

Since the Office Action does not indicate the correspondences relied upon in alleging 
that the claims are anticipated, and it is not reasonably clear which specific elements of Gupta 
are relied upon, Applicants respectfully request an explanation of the correspondences 
between all the limitations of the claims and the elements of Gupta (for example, an 
explanation of each specific one of Gupta's elements thought to correspond to access 
characteristics, security level, services, and session). Otherwise the rejection should be 
withdrawn. 

Claim 2 includes further limitations of, if the session security level does not satisfy the 
security level requirement associated with the one of the services, then prompting the 
requester for authentication data. The Office Action does not show that Gupta teaches these 
limitations. Specifically, the cited text makes no suggestion of the relative security level of a 
session and the security level of a service being used to trigger prompting a requester for 
authentication data. The cited portion of Gupta appears to teach identification of a user 
without any further discussion related to the claim limitations. Further explanation is 
requested if the rejection is maintained. 



7 



Claim 4 includes further limitations of the access characteristics including ownership 
rights of a device with which the session is maintained. The cited portion of Gupta does not 
teach these limitations. The cited portion appears to teach relationships between users and 
information objects. There is no apparent reference to a device and ownership rights. Thus, 
claim 4 is not shown to be anticipated. 

Claim 5 includes limitations of the access characteristics including characteristics of a 
network over which the session is maintained. The cited portion of Gupta teaches providing 
access to a network. There is no apparent suggestion of any determining the access 
characteristics of a network and then establishing a session security level from the access 
characteristics of the session and the combinations of access characteristics and associated 
security levels. Thus, the Office Action does not show that claim 5 is anticipated. 

Claims 7 and 8 further refine the limitations of claim 1 , and the Office Action does 
not show that Gupta anticipates these claims for at least the reasons set forth above for claim 
1. 

Claim 9 includes many of the limitation of, and related to, the limitations of claim 1. 
Thus, claim 9 and claims 10, 12-13, and 15-16 depending therefrom are not shown to be 
anticipated by Gupta for the reasons set forth above for claims 1 and the claims depending 
from claim 1 . 

Claims 17 and 18 are apparatus claims that include functional limitations similar to 
the limitations of claims 1 and 9. Thus, claims 17 and 18 are not shown to be anticipated by 
Gupta. 

The Office Action fails to establish that claims 3, 6, 11, 14 and 19-20 are unpatentable 
under 35 USC §103(a) over Gupta as applied to claims 1-2, 4-5, 7-10, 12-13 and 15-18. The 
rejection is respectfully traversed because the Office Action fails to show that all the 
limitations are suggested by the Gupta, fails to provide a proper motivation for modifying 
Gupta, and fails to show that the modification could be made with a reasonable likelihood of 
success. 

The Office Action acknowledges that the limitations of the claims 3,11, and 19 are 
not taught by Gupta, but alleges that modifying Gupta to include the limitations of claims 3, 
11, and 19 would have been obvious "because doing so would improve the quality of service 
by quickly realizing the user's device type and providing relevant service to the user." 
However, this alleged motivation is conclusory and therefore improper. For example, the 
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Office Action cites no evidence to support the assertion that the "quality of service" of 
Gupta's system could be improved. No evidence is provided to indicate how the quality of 
service would be improved; no evidence is provided to indicate what the "quality" being 
improved is; and no evidence is provided that indicates that Gupta's quality of service is in 
any way lacking. There is also no apparent showing that the modification could be made with 
a reasonable likelihood of success. 

The Office Action acknowledges that the limitations of the claims 6, 14, and 20 are 
not taught by Gupta, but alleges that modifying Gupta to include the limitations of these 
would have been obvious "because doing so would improve the dynamic ability of the system 
by allowing users select a method based on their preference and need." This alleged 
motivation is conclusory and therefore improper. The Office Action cites no evidence to 
support the assertion that the "dynamic ability" of Gupta's system could be improved, nor is it 
apparent what dynamic ability of Gupta is thought to be the target of improvement. 
Furthermore, the limitations include authenticating the requester with a selected 
authentication method and the access characteristics including characteristics of the access 
method. The Office Action does not explain what the "dynamic ability" has to do with these 
limitations. There is also no apparent showing that the modification could be made with a 
reasonable likelihood of success. 

The rejection of claims 3, 6, 1 1, 14 and 19-20 over Gupta should be withdrawn 
because the Office Action fails to show all the limitations are suggested by the combination, 
fails to provide a proper motivation for combining the references, and fails to show that the 
combination could be made with a reasonable likelihood of success. 

Withdrawal of the rejection and reconsideration of the claims are respectfully 
requested in view of the remarks set forth above. 



Respectfully submitted, 
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